The employee, who since has been fired after he violated department policy, downloaded the new trojan, which did not yet carry a signature, according an agency statement issued last week. The trojan recorded the employee’s keystrokes and delivered them back to a receiving site.
The state began sending letters last week, notifying affected parties that their names, addresses and Social Security numbers may have been compromised.
"I want the citizens of Oregon to know that we are taking every possible action to ensure that the people affected by this breach receive immediate notification, and that the state of Oregon will do everything possible to guard against any further compromise of their personal information," Gov. Ted Kulongoski said in a statement last week.
Since announcing the breach, which occurred some time in May, the DOR has restricted employee’s internet use to business matters only, the agency statement said. This is the first time such a malicious incident has occurred at DOR.
"We are taking this very seriously and examining every piece of data that the trojan picked up," the statement said. "We have a team of experienced computer security personnel that continue to work on this issue. Regretfully, because of the changing nature of these malicious programs, organizations cannot ensure 100 percent that they will catch every new virus, trojan or worm that is developed."
The governor promised a free credit-monitoring service for victims.
Oregon State Police are also investigating.